Computer network security is an important issue for all types of organizations and companies. Computer break-ins and the misuse of compromised systems have become common. The number, as well as the sophistication, of attacks on computer systems is on the rise. Often, computer system intruders have overcome the password authentication mechanisms designed to protect the system.
As the number of users within a particular entity grows, the risk of unauthorized intrusions into computer systems, or into certain sensitive components of large computer systems, increases. In order to maintain a reliable and secure computer system or network, regardless of its size, exposure to potential network intrusions must be reduced as much as possible. Intrusions into a computer system can originate from legitimate users within an entity attempting to access secure portions of the network, or from illegitimate users outside an entity attempting to break into the network of the entity; such illegitimate users are often referred to as hackers. Intrusion from either of these two groups of users can be damaging to the computer system or network of an organization. Most attempted security violations are internal, such as those attempted by employees of a company or an organization.
One approach to detecting computer system intrusion is to calculate features based on various factors, such as command sequences, user activity, machine usage loads, resource violations, files accessed, data transferred, terminal activity and network activity, among others. The features are then used as input to a model, an expert system or a similar system which determines whether a possible intrusion or violation has occurred. The use of features is well known in various fields of computer science, including the field of computer network security, especially in conjunction with an expert system which evaluates the feature values. Features used in present computer security systems are generally rule-based features. Such features lead to computer security systems that are inflexible, highly complex, and require frequent upgrading and maintenance. A common problem associated with previously known security systems and available methods is that they require substantial CPU and calculating capacity.
Previously known security systems, such as those based on expert systems, that use such features generally use thresholds, for instance if-then-else clauses and case statements, to determine whether an intrusion has occurred. Thus, a human expert with extensive knowledge of the computer network domain has to accurately determine, assign and, even more burdensome, regularly update such thresholds for the system to be effective. A reliable computer system must be capable of accurately determining when a possible intrusion is occurring, and of doing so by taking into account trends in user activity. Further, a security feature of a computer system must be efficient from a resource handling point of view. Otherwise, such a security feature might have to be turned off because of the high load it places on the computer system.
As mentioned above, rule-based features can also be used as input to a model instead of an expert system. However, a model that can accept only rule-based features and cannot be trained to adjust to trends and changing needs in a computer network generally suffers from the same drawbacks as the expert system configuration. A model is generally used together with a features generator and accepts a features list as input. However, the models generally used in computer network intrusion systems are not trained to take into account changing requirements and user trends in a computer network. Such models lead to computer security systems that are inflexible, complex and require frequent upgrading and maintenance.
A feature component of a complete network security system may have three general components: user activity, a rule-based system, and alert messages. User activity contains raw data, typically including aggregated log files, and is raw in the sense that it is typically unmodified or has not gone through significant preprocessing. User activity holds records of actions taken by users on the computer system that the organization or company wants to monitor.
The rule-based system, such as an expert system, accepts input data from user activity files, which act as features in present security systems. As mentioned above, the rule-based system processes the input features and determines, based on rules, whether an intrusion has occurred or whether there is anomalous activity. As one simple example, the rule-based system can contain a rule instructing it to issue an alert message if a user attempts to write to a restricted file more than once.
An alert message is issued if a rule threshold is exceeded, to inform a network security analyst that a possible intrusion may be occurring. Typically, an alert message contains a score and a reason for the alert, such as which rules or thresholds were violated by a user. As stated above, these thresholds can become outdated if circumstances change in the system. For example, circumstances can change so that the restricted file becomes accessible to a larger group of users. In this case an expert would have to modify the rules in the rule-based system.
As mentioned above, the feature and rule-based systems and the conventional models used in conjunction with these components have significant drawbacks. One is the cumbersome and overly complex set of rules and thresholds that must be entered and maintained to cover all the possible security violations. Another is the knowledge that an expert must have in order to update or modify the rule base and the model to reflect changing circumstances in the organization. A major drawback of such systems is that if a user fulfills the rules, the user session is considered to be conducted by an authorized user, even if the logged-in user is not the real-world user associated with the authorization. Such a situation may occur if the authorized user leaves a switched-on computer during a lunch break. In such a case the ongoing authorized session may be taken over by another user attempting to access classified information. Such user actions may very well fulfill the rules of the system, and hence the intrusion passes undetected. Another scenario is that an unauthorized user gets access to the log-in details of an authorized user. The intrusion might possibly be detected at a later stage, but by then the damage to the company or the organization has already occurred. Another significant drawback is the high load that such systems cause on the monitored computer system.
An example of an approach using a neural network is disclosed in the published International patent application WO 01/31421. In order to detect harmful or illegal intrusions into a computer network or into restricted portions of a computer network, a process is used for synthesizing anomalous data to be used in training a neural network-based model for use in a computer network intrusion detection system. The basis for the profile relates to events such as login procedures or file accesses. The CPU load is also taken into account. The system detects anomalous behavior. A remaining problem is that it does not consider the behavior of the users.
The published International patent application WO 00/54458 discloses a computer-implemented intrusion detection system and method that monitor a computer system in real time for activity indicative of attempted or actual access by unauthorized persons or computers. The system detects unauthorized users attempting to enter a computer system by comparing user behavior to a user profile. A remaining problem is that the disclosed method and system do not describe how to monitor and compare the known behavior of an authorized user to the behavior of the individual during a session. Rather, the disclosed system and method focus on events around a log-in procedure.